
General

  • Target

    skibidirat.exe

  • Size

    41KB

  • Sample

    240805-n9779ayhmd

  • MD5

    f2e5db54a0c2fcea960e780a0f2f9084

  • SHA1

    ea761e056da05eedcd002595b3f2e9dae8c4d475

  • SHA256

    5671047446840afc32551f04b3fc8ddcc59d7440d23ffa9cd84f88a178f29e22

  • SHA512

    8fddd587e7c5379d83857c1b6e2f0a9b987212a8c62bd5d9214870d1157ca35407d889bcb924904be40d4d87d61df117a0bc8ded7bf43c44dc0705d5f56036f8

  • SSDEEP

    768:I3MEkvhOq0S5us9VYCfRaYVO8MoJpJIF5PG9neb6vOwhZ35iI:6MEk5T0EDfz0Hfo3aFI9eb6vOwT8I

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

mKfmwhMRsVlgqzJg

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows host process.exe

  • pastebin_url

    https://pastebin.com/raw/BZjSD36y

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
